Using out-of-band for stronger in-band network security

Whether the network is up or down, Uplogix is a secure gateway for policy enforcement and compliance.

Secure access on a closed platform

Network security is more critical than ever. The security features of the Uplogix platform were initially developed for customers in finance and the military, but many enterprises are finding they need similar functionality. You need to know that your network is locked down inside and out and be able to prove it. With the average cost of a security breach increasing yearly, what business today doesn’t need reliable network security?

Uplogix is a secure, closed appliance. The underlying Linux OS does not expose root access, which eliminates threat vectors possible with an open console server. Beyond the separation from the OS, the Uplogix platform is FIPS 140-2 Level Two Certified — not just a component of the solution like a FIPS-certified OpenSSL library. Our solid state hard drives are available with AES-256 disk encryption, and only the SSH port is open by default.

All configuration and features for managing devices are governed by powerful and granular authorization controls with every activity and change logged and archived to the NOC. With features that automate device monitoring, maintenance and recovery, scripting isn’t necessary, avoiding another threat vector.

Not all console servers are created the same. In addition to all of its security functionality, Uplogix is a closed appliance. Other console servers are open implementations of Linux which could mean trouble.

We should talk...

In the heat of the moment when network problems arise, urgency often prevails over security. Break-glass root passwords are issued to let technicians connect to device consoles and resolve issues, any centralized administrative audit trail is offline, and carefully crafted policies intended to protect data are quickly bypassed. This is precisely the circumstance that sets the stage for a serious breach, unintended or not.

Uplogix WAN Traffic Failover (WTF)

A WAN router experiences an outage (A) that prevents it from sending local traffic back to the headquarters via its WAN.

Both the router and the Uplogix Local Manager (LM) detect the outage. The LM brings up its LTE cellular out-of-band connection when the Pulse test fails and the router changes its default route to be the Uplogix LM (B).

The router sends all (or select) traffic through a VPN over the cellular network back to the NOC while the WAN is down (C). The LM builds a VPN over the cellular WAN back to the NOC that is used for all network management traffic to and from the remote site.

The router and the LM continue to monitor primary WAN connectivity. When the router detects that the WAN connection is restored, it changes the default gateway for its traffic back to the WAN. When the LM detects a healthy WAN connection, it tears down its VPN and the cellular LTE out-of-band connection, and returns to communicating over the WAN.

Key Security Capabilities

Uplogix extends role-based administrative access policies to devices with detailed auditing and reporting for compliance whether the network is up or down. Some of the specific cybersecurity functions include:

Maintain and enforce AAA (Authentication, Authorization and Accounting) of the state of the network. Under normal circumstances, Uplogix Local Managers (LMs) integrate with remote multi-factor authentication mechanisms, such as TACACS and RADIUS, but if connectivity is lost, the LM can fail over to other AAA servers before falling back on cached authentication data to maintain authorized access.

Prevent unauthorized user access by automatically closing idle sessions, eliminating a potential security gap. Uplogix also ensures that the right users have the right access by enforcing granular, role-based permissions.

Enable audit and compliance reporting by constantly logging all changes made to managed devices and the results of these changes.

Improve overall security by restricting access to specific IP addresses and encrypting passwords stored in the database, and by automating management functions related to security enforcement, like updating the access passwords on hundreds of managed devices at once.
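The AAA failover chain described above (remote servers in order, then cached credentials only when none is reachable) can be illustrated with a small Python model. This is an added example, not Uplogix code; the AaaServer class is a hypothetical stand-in for a TACACS+/RADIUS server, and the cache stores salted PBKDF2 digests with an expiry rather than plaintext passwords. The key property it enforces is that a reachable server's "deny" is final and never falls through to the cache.

```python
import hashlib
import hmac
import os
import time


class AaaServer:
    """Hypothetical stand-in for a remote TACACS+/RADIUS server.
    'reachable' simulates loss of WAN connectivity to that server."""

    def __init__(self, name, users, reachable=True):
        self.name = name
        self.users = users          # constructed sample user -> password table
        self.reachable = reachable

    def authenticate(self, user, password):
        if not self.reachable:
            raise ConnectionError(f"{self.name} unreachable")
        return self.users.get(user) == password


class CachedAuthenticator:
    """Tries each AAA server in order; uses cached credentials only when
    every server is unreachable. Cache entries are salted hashes with a TTL."""

    def __init__(self, servers, cache_ttl=3600, iterations=50_000):
        self.servers = servers
        self.cache_ttl = cache_ttl
        self.iterations = iterations
        self.cache = {}             # user -> (salt, digest, expires_at)

    def _digest(self, salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.iterations)

    def authenticate(self, user, password, now=None):
        now = time.time() if now is None else now
        for srv in self.servers:
            try:
                ok = srv.authenticate(user, password)
            except ConnectionError:
                continue            # fail over to the next AAA server
            if ok:                  # refresh cache only from a successful remote auth
                salt = os.urandom(16)
                self.cache[user] = (salt, self._digest(salt, password), now + self.cache_ttl)
            return ok, srv.name     # authoritative answer, cache is not consulted
        entry = self.cache.get(user)  # all servers down: last resort
        if entry is None or entry[2] < now:
            return False, "cache"   # unknown user or expired entry
        salt, digest, _ = entry
        return hmac.compare_digest(digest, self._digest(salt, password)), "cache"
```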

Uplogix TechTip: Granular Authorization and Access

Uplogix provides highly configurable and granular role-based administrative access to managed gear. Role-based access controls and complete activity logging (including system prompts and responses) are maintained even when the network is down.

Keep Up.

We're turning traditional out-of-band management inside out by deploying intelligent monitoring and automation to where network devices are to improve security, performance and availability. It's like having a virtual onsite technician.